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ABSTRACT 


Reputation systems have been popular in estimating the trustwor- 
thiness and predicting the future behavior of nodes in a large-scale 
distributed system where nodes may transact with one another 
without prior knowledge or experience. One of the fundamental 
challenges in distributed reputation management is to understand 
vulnerabilities and develop mechanisms that can minimize the po- 
tential damages to a system by malicious nodes. In this paper, 
we identify three vulnerabilities that are detrimental to decen- 
tralized reputation management and propose TrustGuard — a 
safeguard framework for providing a highly dependable and yet 
efficient reputation system. First, we provide a dependable trust 
model and a set of formal methods to handle strategic malicious 
nodes that continuously change their behavior to gain unfair ad- 
vantages in the system. Second, a transaction based reputation 
system must cope with the vulnerability that malicious nodes may 
misuse the system by flooding feedbacks with fake transactions. 
Third, but not least, we identify the importance of filtering out 
dishonest feedbacks when computing reputation-based trust of a 
node, including the feedbacks filed by malicious nodes through 
collusion. Our experiments show that, comparing with existing 
reputation systems, our framework is highly dependable and effec- 
tive in countering malicious nodes regarding strategic oscillating 
behavior, flooding malevolent feedbacks with fake transactions, 
and dishonest feedbacks. 


Categories and Subject Descriptors 


C.2.4 [Distributed Systems]: Distributed Applications; 
C.4 [Performance of Systems]: Security, Reliability— 
Reputation Management, Overlay Networks 


General Terms 


Security, Performance, Reliability 


1. INTRODUCTION 


A variety of electronic markets and online communities have 
reputation system built in, such as eBay, Amazon, Yahoo! 
Auction, Edeal, Slashdot, Entrepreneur. Recent works [4, 
1, 3, 11, 19] suggested reputation based trust systems as 
an effective way for nodes to identify and avoid malicious 
nodes in order to minimize the threat and protect the sys- 
tem from possible misuses and abuses by malicious nodes 
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in a decentralized overlay networks. Such systems typically 
assign each node a trust value based on the transactions it 
has performed with others and the feedbacks it has received. 
For example, XRep [4] provides a protocol complementing 
current Gnutella protocol by allowing peers to keep track of 
and share information about the reputation of other peers 
and resources. EigenTrust [11] presents an algorithm similar 
to PageRank [15] that computes a trust value by assuming 
trust is transitive and demonstrated its benefits in address- 
ing fake file downloads in a peer-to-peer file sharing network. 

However, few of the reputation management work so far 
have focused on the vulnerabilities of a reputation system 
itself. One of the detrimental vulnerabilities is that a mali- 
cious node may strategically alter its behavior in a way that 
benefits itself such as starting to behave maliciously after it 
attains a high reputation. Another widely recognized vul- 
nerability is the shilling attack [12] where malicious nodes 
submit dishonest feedback and collude with each other to 
boost their own ratings or bad-mouth non-malicious nodes. 
Last, but not the least, malicious nodes can flood numerous 
fake feedbacks through fake transactions in a transaction- 
based feedback system. 

With these issues in mind, we present TrustGuard — a 
highly dependable reputation-based trust building frame- 
work. The paper has a number of unique contributions. 
First, we introduce a highly dependable trust model to effec- 
tively handle strategic oscillations by malicious nodes (Sec- 
tion 3). Second, we propose a feedback admission con- 
trol mechanism to ensure that only transactions with secure 
proofs can be used to file feedbacks (Section 4). Third, we 
propose feedback credibility based algorithms for effectively 
filtering out dishonest feedbacks (Section 5). We also present 
a set of simulation based experiments, showing the effective- 
ness of the TrustGuard approach in guarding against each of 
the above vulnerabilities with minimal overhead. We con- 
clude the paper with a brief overview of the related work 
(Section 7), and a conclusion (Section 8). 


2. TRUSTGUARD: AN OVERVIEW 


2.1 System Architecture 


We first present a high level overview of the TrustGuard 
framework '. Figure 1 shows a sketch of the decentralized 
architecture of the dependable reputation management sys- 
tem. The callout shows that each node has a transaction 
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Figure 1: TrustGuard’s Architecture 


manager, a trust evaluation engine and a feedback data stor- 
age service. Whenever a node n wants to transact with an- 
other node m, it calls the Trust Evaluation Engine to per- 
form a trust evaluation of node m. It collects feedback about 
node m from the network through the overlay protocol and 
aggregates them into a trust value. Such computation is 
guarded by strategic oscillation guard and dishonest feed- 
back filters. The Transaction Manager consists of four com- 
ponents. The trust-based node selection component uses 
the trust value output from the trust evaluation engine to 
make trust decisions before calling the transaction execution 
component. Before performing a transaction, the transac- 
tion proof exchange component is responsible for generating 
and exchanging transaction proofs. Once the transaction 
is completed, the feedbacks are manually entered by the 
transacting users. The transacting nodes then route these 
feedbacks to designated nodes on the overlay network for 
storage through a decentralized overlay protocol (e.g. DHT 
based protocol). The designated nodes then invoke their 
data storage service and admit a feedback only if it passes 
the feedback admission control where fake transactions are 
detected. The feedback storage service is also responsible 
for storing reputation and trust data on the overlay network 
securely, including maintaining replicas for feedbacks and 
trust values. We build the TrustGuard storage service on 
top of PeerTrust [19]. 

Although we implement the TrustGuard framework using 
a decentralized implementation that distributes the storage 
and computation of the trust values of the nodes, it is im- 
portant to note that one could implement TrustGuard using 
different degrees of centralization. At one extremity, third- 
party trusted servers could be used for both trust evalua- 
tion and feedback storage. One can also utilize the trusted 
servers to support only selected functionality, for example, 
the transaction proof exchange (Section 4). 

Finally, we assume that TrustGuard architecture is built 
on top of a secure overlay network. Thus, the overlay net- 
work should be capable of routing messages despite the pres- 
ence of some malicious nodes and ensure that all nodes can 
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be identified through some digital certification based mecha- 
nism. Readers may refer to [2, 18, 7] for a detailed discussion 
on security issues in overlay networks. 


2.2 Problem Statement and Solution Approach 


The TrustGuard framework is equipped with several im- 
portant safeguard components. In the rest of the paper, we 
focus on the following three types of vulnerabilities, analyze 
the potential threats and describe countermeasures against 
such vulnerabilities using TrustGuard. 

Strategic Oscillation Guard. Most existing reputation 
systems such as eBay use a combination of average feedbacks 
and the number of transactions performed by a node as indi- 
cators of its trust value. Our experiments show that using a 
simple average does not guard the reputation system against 
oscillating behavior or dishonest feedbacks. For example, a 
bad node may behave non-maliciously until it attains a good 
reputation (reflected in its trust value) and then behave ma- 
liciously. Or it could oscillate between building and milking 
reputation. A dependable reputation system should be able 
to penalize malicious nodes for such dynamic and strategic 
behavioral changes. In TrustGuard, we promote the incor- 
poration of the reputation history and behavior fluctuations 
of nodes into the estimation of their trustworthiness. We use 
adaptive parameters to allow different weighting functions 
to be applied to current reputation, reputation history, and 
reputation fluctuations. 

Fake Transaction Detection. In a typical transaction- 
based feedback system, after each transaction, the two par- 
ticipating nodes have an opportunity to submit feedbacks 
about each other. This brings two vulnerabilities. First, a 
malicious node may flood numerous ratings on another node 
with fake transactions. Second, a malicious node may sub- 
mit dishonest feedback about a transaction. A dependable 
trust model should be equipped with mechanisms to handle 
malicious manipulation of feedbacks to guard the system 
against such fake transactions, and to differentiate dishon- 
est feedback from honest ones. In TrustGuard approach, we 
propose to bind a feedback to a transaction through trans- 
action proofs. In other words, a feedback between nodes n 
and m on a given transaction is stored if and only if n and 
m indeed transacted with each other. 

Dishonest Feedback Filter. While the fake transaction 
detection guarantees that a feedback is associated with a 
real transaction, a malicious node may submit dishonest 
feedbacks in order to boost the ratings of other malicious 
nodes or bad-mouth non-malicious nodes. The situation is 
made much worse when a group of malicious nodes make 
collusive attempts to manipulate the ratings. In this paper, 
we build a dishonest feedback filter to differentiate dishon- 
est feedbacks from honest ones. The filter essentially assigns 
a credibility value to a feedback source and weights a feed- 
back in proportion with its credibility. We study two such 
credibility measures and their effectiveness in filtering out 
dishonest feedbacks in both non-collusive and collusive set- 
tings. 


3. STRATEGIC MALICIOUS NODES 


We define a strategic malicious node as a node that adapts 
its behavioral pattern (with time) so as to maximize its ma- 
licious goals. Consider a scenario wherein a bad node does 
not misbehave until it earns a high trust value. The scenario 
becomes more complicated when bad nodes decide to alter- 


nate between good and bad behavior at regular or arbitrary 
frequencies. In this paper, we primarily focus on strategic 
oscillations by malicious nodes and describe concrete and 
systematic techniques taken by TrustGuard to address both 
steady and sudden changes in the behavioral pattern of a 
node without adding heavy overheads to the system. Other 
possible behavioral strategies that could be employed by ma- 
licious nodes are not considered in this paper. 

A dependable trust model should be capable of handling 
the following four important issues: (P1) sudden fluctua- 
tions in node behavior, (P2) distinguish an increase and 
decrease in node behavior, (P3) tolerate unintentional er- 
rors, and (P4) reflect consistent node behavior. We propose 
a dependable trust model that computes reputation-based 
trust of a node by taking into consideration: current feed- 
back reports about the node, its historical reputation, and 
the fluctuations in the node’s current behavior. First, we 
present an optimization theory based cost metric (Section 
3.1) to formalize our design goals and then present Trust- 
Guard’s dependable trust model (Section 3.2). 


3.1 Cost Model 


The primary goal of our safeguard techniques is to maximize 
the cost that the malicious nodes have to pay in order to gain 
advantage of the trust system. We first formally define the 
behavior of a non-malicious and a malicious node in the sys- 
tem using the game theory approach [5]. A non-malicious 
node is the commitment type and a long-run player who 
would consistently behave well, because cooperation is the 
action that maximizes the player’s lifetime payoffs. In con- 
trast a strategic malicious node corresponds to an oppor- 
tunistic player who cheats whenever it is advantageous for 
him to do so. Now we formally describe a cost model for 
building reputation-based trust and use this cost model to 
illustrate the basic ideas of maximizing the cost (penalty) 
to be paid by anyone behaving maliciously. Let TVn(t) de- 
note the trust value as evaluated by the system for node n 
at time t (0 < TVn(t) < 1). Let BH, (t) denote the actual 
behavior of node n at time t (0 < BH,,(t) < 1), modeled as 
the fraction of transactions that would be honestly executed 
by node n between an infinitesimally small time interval t 
and t + dt. Then, we define the cost function for a node b 
as shown in Equation 1. 


lim ay 


t—0o 


t 
cost(b) = / (BHo(x) — TVe(x)) dx (1) 
0 
Let G be the set of good nodes and B be the set of bad nodes. 
The objective is Vg € G: TV,(t) ~ 1 and Vb € B : cost(b) 
is maximized. Figure 2 provides an intuitive illustration 
of the above cost function for a strategic malicious node 
oscillating between acting good and bad. Referring to Figure 
2, observe that the problem of maximizing the cost paid by 
the malicious nodes can be reduced to maximizing the area 
under Y,,(t)— X(t), that is, minimizing the extent of misuse 
(Xn(t) = max(TV,()- BHn(t),0)) and maximizing the cost 
of building reputation (Yn(t) = max(BH,(t) — TVn (t), 0)). 
In addition to maximizing the cost metric, we require 
TrustGuard to ensure that any node behaving well for an 
extended period of time attains a good reputation. How- 
ever, we should ensure that the cost of increasing a node’s 
reputation depends on the extent to which the node misbe- 
haved in the past. 
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Figure 2: Cost of Building Reputation 


3.2 Dependable Trust Model 


Bearing the above analysis in mind, we present TrustGuard’s 
dependable trust model in this section. Let R(t) denote the 
raw trust value of node n at time t. Any of the existing 
trust evaluation mechanisms such as [19, 11] can be used 
to calculate R(t). The simplest form can be an average 
of the ratings over the recent period of time. Let TV (t) 
denote the dependable trust value of node n at time t and we 
compute TV (t) using Equation 2. Note that R’ (t) denotes 
the derivative of R(x) at x = t. 


TVO) =a RW) 49% | Rede + ys RO (2) 


Equation 2 resembles a Proportional-Integral-Derivative con- 
troller used in control systems [14]. The first component 
(proportional) refers to the contribution of the current re- 
ports received at time t. The second component (integral) 
represents the past performance of the node (history infor- 
mation). The third component (derivative) reflects the sud- 
den changes in the trust value of a node in the very recent 
past. Choosing a larger value for œ biases the trust value 
of a node n to the reports currently received about n. A 
larger value of @ gives heavier weight to the performance 
of the node n in the past. The averaging nature of the 
proportional and integral components enables our model to 
tolerate errors in raw trust values R,,(t) (P3) and reflect 
consistent node behavior (P4). A larger value of y ampli- 
fies sudden changes in behavior of the node in the recent 
past (as indicated by the derivative of the trust value) and 
handles sudden fluctuations in node behavior (P1). We dis- 
cuss techniques to distinguish increase and decrease in node 
behavior (P2) later in this Section. 

We now describe a simple discretized implementation of 

the abstract dependable trust model described above. For 
simplicity, we assume that the trust values of nodes are up- 
dated periodically within each time period T. Let successive 
time periods (intervals) be numbered with consecutive inte- 
gers starting from zero. We call TV [i] the dependable trust 
value of node n in the interval i. TV [i] can be viewed as a 
function of three parameters: (1) the feedback reports re- 
ceived in the interval i, (2) the integral over the set of the 
past trust values of node n, and (3) the current derivative 
of the trust value of node n. 
Incorporating feedbacks by computing Rii]. Let R[i] 
denote the raw reputation value of node n computed as an 
aggregation of the feedbacks received by node n in interval 
i. Let us for now assume that all the feedbacks in the sys- 
tem are honest and transactions are not faked. In such a 
scenario, R[i] can be computed by using a simple average 
over all the feedback ratings received by node n in time in- 
terval 7. We defer the extension of our safeguard to handle 
dishonest feedbacks and fake transactions later to sections 4 
and 5 respectively. 


Incorporating History by Computing Integral. We 
now compute the integral (history) component of the trust 
value of node n at interval i, denoted as Hfi]. Suppose 
the system stores the trust value of node n over the last 
maxH (maximum history) intervals, H[i] could be derived 
as a weighted sum over the last maxH reputation values of 
node n using Equation 3. 


maxH 
z ; w 
Hij= So REER * Saar (3) 
k=1 k=1 k 


The weights wọ could be chosen either optimistically or pes- 
simistically. An example of an optimistic summarization is 
the exponentially weighted sum, that is, w = p*~' (typ- 
ically, p < 1). Note that choosing p = 1 is equivalent to 
H being the average of the past maxH reputation values of 
node n. Also, with p < 1, H gives more importance to the 
more recent reputation values of node n. We consider these 
evaluations of H optimistic since they allow nodes to attain 
higher trust values rather quickly. On the contrary, a pes- 
simistic estimate of H could be obtained with wą = EEH: 
Such an evaluation assigns more importance to those inter- 
vals where the node behaved particularly badly. 
Strengthening the dependability of TV[i]. Once we 
have calculated the feedback-based reputation (A[#]) for the 
node n in the interval į and its past reputation history (H [i]), 
we can use Equation 4 to compute the derivative component 
(D[i]). Note that Equation 4 uses Hi] instead of R[i — 1] 
for stability reasons. 


Dii] 


= Rļi] - Hfi] (4) 


We now compute the dependable trust value TV [i] for 
node n in the interval 7 using Equation 5: 


TV[i] = a Rļi] + 8 * Ali] + y(D[i]) * DU) 
where y(x) = J1 if x > 0 and q(x) = y2 if x < 0 


(5) 


In this equation, TV [i] is derived by associating different 
weights yı and 2 for a positive gradient and a negative gra- 
dient of the trust value respectively, enhancing the depend- 
ability of TV [i] with respect to sudden behavioral changes 
of node n. One of the main motivations in doing so is to set 
yı < B < %2, thereby increasing the strength of the deriva- 
tive component (with respect to the integral component) 
when a node shows a fast degradation of its behavior, and 
lowering the strength of the derivative component when a 
node is building up its reputation (recall P2 in our design 
goal). Our experiments (see Section 6) show that one can 
use the rich set of tunable parameters provided by Equation 
5 to handle both steady and sudden changes in the behavior 
of a strategic malicious node. 


3.3 Fading Memories 


In TrustGuard, we compute the dependable trust value 
of a node n in interval 7 based on its current reputation, 
its reputation history prior to interval i and its reputation 
fluctuation. In computing reputation history, we assume 
that the system stores the reputation-based trust values of 
node n for the past maxH number of intervals. By using a 
smaller value for maxH, we potentially let the wrong-doings 
by a malicious node to be forgotten in approximately maxH 
time intervals. However, using a very large value for maxH 
may not be a feasible solution for at least two reasons: (i) 
The number of trust values held on behalf of a long standing 
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Figure 3: Updating Fading Memories: FTV/i] de- 
notes the faded values at time t and FTV’'|i] denotes 
the faded values at time t+ 1 


member of the system could become extremely large. (ii) 
The computation time for our trust model (Equations 3 and 
5) increases with the amount of data to be processed. In the 
first prototype of TrustGuard, we introduce fading memories 
as a performance optimization technique to reduce the space 
and time complexity of computing TV [i] by allowing a trade- 
off between the history size and the precision of the historical 
reputation estimate. 

We propose to aggregate data over intervals of exponen- 
tially increasing length in the past {k°,k',--- ,k™~'} into 
m values (for some integer k > 0). Observe that the aggre- 
gates in the recent past are taken over a smaller number of 
intervals and are hence more precise. This permits the sys- 
tem to maintain more detailed information about the recent 
trust values of node n and retain fading memories (less de- 
tailed) about the older trust values of node n. Given a fixed 
value to the system-defined parameter m, one can trade-off 
the precision and the history size by adjusting the value of 
k. 

Now we describe how we implement fading memories in 
TrustGuard. To simplify the discussion, let us assume that 
k = 2. With fading memory optimization, our goal is to 
summarize the last 2” — 1 OD 2t = 2™ — 1) trust values 
of a node by maintaining just m (=log,(2™)) values. This 
can be done in two steps. (i) we need a mechanism to ag- 
gregate 2™ — 1 trust values into m values, and (ii) we need 
a mechanism to update these m values after each interval. 

TrustGuard performs Step 1 as follows. In the interval 
t, the system maintains trust values in intervals t — 1,t — 
2,--- ,t— 2™ in the form of m trust values by summarizing 
intervals t — 27,t — 27 —1,--- ,t-27t+ +1 for every j (j = 
0,1,--- ,m — 1), instead of maintaining one trust value for 
each of the 2” — 1 time intervals. Figure 3 provides an 
example where k = 2 and m = 3. 

Now we discuss how TrustGuard performs Step 2. Let 
FTV*|j] (0 < j < m — 1) denote the faded trust val- 
ues of node n at interval t. Ideally, re-computing FTV 
for interval t requires all of the past 2” — 1 trust values. 
With fading memories we only store m summarization val- 
ues instead of all the 2” — 1 trust values. Thus, at inter- 
val t we approximate the trust value for an interval t — i 
(1 <i <2”) by FTV’'||log, i|]. We use Equation 6 to ap- 
proximate the updates to the faded trust values for interval j 
(j = 0,1,2,--- ,m—1) with the base case FTV‘*" [0] = Rid]. 


Figure 3 gives a graphical illustration of Equation 6 for 
m= 3. 


_ (FTV'[j] * (27 — Lp Ag — 1) 


tir. 
FTV" [j] z 


(6) 
4. FAKE TRANSACTIONS 


We have presented a dependable trust metric, focusing on 
incorporating reputation history and reputation fluctuation 
to guard a reputation system from strategic oscillation of 
malicious nodes. We dedicate this and the next section to 
vulnerabilities due to fake transactions and dishonest feed- 
backs and their TrustGuard countermeasures. 

In TrustGuard, we tackle the problem of fake transac- 
tions by having a feedback bound to a transaction through 
a transaction proof such that a feedback can be successfully 
filed only if the node filing the feedback can show the proof of 
the transaction. Our transaction proofs satisfy the following 
properties: (i) Transaction proofs are unforgeable, and are 
hence generated only if the transacting nodes indeed wished 
to transact with each other, and (ii) Transaction proofs are 
always exchanged atomically; that is, a malicious node m 
cannot obtain a proof from a non-malicious node n without 
sending its own proof to node n. The atomicity property 
of the exchange of proofs guarantees fairness; that is, each 
of the transacting parties would be able to file feedbacks 
at the end of the transaction. In the absence of exchange 
atomicity a malicious node m could obtain a proof from 
node n but not provide its proof to the non-malicious node 
n; hence, a non-malicious node n may never be able to file 
complaints against the malicious node m. Note that if the 
entire system is managed by a centralized trusted authority 
(like eBay) then one can completely eliminate the problem 
of fake transactions. Our focus is on building a distributed 
and decentralized solution to handle fake transactions. 

We first present a technique to generate unforgeable proofs 
that curb a malicious node from flooding feedbacks on other 
non-malicious nodes. Then we employ techniques based on 
electronic fair-exchange protocol to ensure that transaction 
proofs are exchanged fairly (atomically). It is important to 
note that the proofs act as signed contracts and are thus 
exchanged before the actual transaction takes place. If the 
exchange fails, a good node would not perform the transac- 
tion. Nonetheless, if the exchange were unfair, a bad node 
could file a feedback for a transaction that never actually 
happened. 

Note that the fake transaction detection does not prevent 
two collusive malicious nodes from faking a large number 
of transactions between each other, and further give good 
ratings with exchanged transaction proofs. This type of col- 
lusion will be handled by our next safeguard - dishonest 
feedback filter. 


4.1 Unforgeable Transaction Proofs 


A simple and secure way to construct proofs of transactions 
is to use a public key cryptography based scheme. Assume 
that every node n has an associated pair of public key and a 
private key pair, namely, (PKn, RKn). We assume that the 
public keys are tied to nodes using digital certificates that 
are notarized by trusted certification authorities. A trans- 
action T is defined as T = (Ten Descr) || (time stamp), 
where (Tn Descr) is a description of the transaction and 
the symbol || denotes string concatenation. Node n signs the 
transaction with its private key to generate a transaction 
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proof PT = RK,(T) and send it to node m. If the proofs 
are fairly exchanged then node n would obtain RKm(T) as 
a proof of transaction T with node m and vice versa. The 
key challenge now is how to exchange proofs atomically to 
guarantee fairness. 


4.2 Fair Exchange of Transaction Proofs 


Significant work has been done in the field of fair elec- 
tronic exchange [16, 13], aiming at guaranteeing exchange 
atomicity. There are several trade-offs involved in employ- 
ing a fair-exchange protocol in the context of reputation 
management. In this section we analyze the feasibility of 
trust value based fair-exchange protocol and optimistic fair- 
exchange protocol for TrustGuard. 

Trust Value based Fair-Exchange Protocol. Intuitively, 
one could achieve fair exchange of proofs between nodes n 
and m ( TVn > TVm) by enforcing that the lower trust value 
node m sends its proof first to the higher trust value node n; 
following which the higher trust value node n would send its 
proof to the lower trust value node m. However, this solu- 
tion is flawed. For example, a malicious node m with a high 
trust value may always obtain a proof from non-malicious 
node n with a lower trust value, but not deliver its proof 
to node n. Hence, a malicious node may pursue its ma- 
licious activities indefinitely without being detected by the 
trust system. 

Optimistic Fair-Exchange Protocol. In the first proto- 
type of TrustGuard, we adopt an optimistic fair-exchange 
protocol for exchanging transaction proofs. Optimistic fair- 
exchange protocols guarantee fair-exchange of two electronic 
items between two mutually distrusting parties by utilizing 
trusted third parties (ttp). However, they reduce the in- 
volvement of a ttp to only those exchanges that result in a 
conflict. Assuming that most of the parties in an open elec- 
tronic commerce environment are good, the ttp is hopefully 
involved infrequently. 

In particular, TrustGuard adopts the optimistic protocol 
for fair contract signing proposed by Micali [13]. The pro- 
tocol assumes that the transacting parties n and m have 
already negotiated a would-be contract C. The nodes n and 
m now need to exchange the signed contracts, (RAn(C) and 
RKm(C)) fairly. The protocol guarantees that if both the 
nodes commit to the contract then node n has a proof that 
node m has committed to the contract C and vice-versa; 
even if one of the parties does not commit to the contract 
C then neither party gets any proof of commitment from 
the other party. We map this protocol for fairly exchang- 
ing transaction proofs by using contract C as C = T = 
(Tan Descr) || (time stamp). 

One of the major advantages of using such an optimistic 
fair-exchange protocol is that the ttp need not be always 
online. The ttp can infrequently come up online and resolve 
all outstanding conflicts before going offline. A strategic 
malicious node could exploit the delay in conflict resolution 
as shown in Figure 4. Let us assume that the ttp stays online 
for a time period Ton and then stays offline for a time period 
Toss. When the malicious node is building reputation, it 
behaves honestly and exchanges transaction proofs fairly (Y 
in Figure 4). However, after the malicious node has attained 
high reputation, it unfairly exchanges several proofs with 
other nodes in the system. By synchronizing the schedule 
of the ttp, the malicious node can ensure that none of the 
conflicts caused by its malicious behavior is resolved within 
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ap — — Trust Value 
x X: Extent of Misuse 
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Figure 4: Cost of Building Reputation with Delayed 
Conflict Resolution 


Tory time units (X in Figure 4). Hence, despite of the fact 
that the malicious node behaved badly over a period of Tos 5 
time units its reputation does not fall. However, the moment 
all outstanding conflicts are resolved, the malicious node’s 
reputation falls very steeply. Observe that cost paid by a 
malicious node (see Equation 1) is much lower in Figure 4 
when compared to Figure 2 (wherein Toff = 0). 

In conclusion, one needs to choose Tos ¢ very carefully so 
that: (i) the attackers do not have enough time to compro- 
mise the trusted third party, and (ii) maximize the cost paid 
by those malicious nodes that strategically exploit delayed 
conflict resolution. 


5. DISHONEST FEEDBACKS 


In the previous section we have discussed techniques to en- 
sure that both transacting nodes have a fair chance to sub- 
mit feedbacks. In this section we extend our safeguard model 
to handle dishonest feedbacks. The goal of guarding from 
dishonest feedbacks is to develop algorithms that can effec- 
tively filter out dishonest feedbacks filed by malicious nodes 
in the system. 

We propose to use a credibility factor as a filter in es- 
timating the reputation-based trust value of a node in the 
presence of dishonest feedbacks. Recall that we use TV, 
to denote the dependable trust value of node n and R,, to 
denote the reputation-based trust value of node n without 
incorporating past history (Integral component) and fluctu- 
ations (Derivative component). The main idea of using a 
credibility-based feedback filter in computing R, is to as- 
sign higher weight to the credible feedbacks about node n 
and lower weight to the dishonest ones. 

Concretely, we first extend the naive average based com- 
putation of trust value (Section 3.2) into a weighted aver- 
age. Let I(n) denote the set of interactions (transactions) 
performed by node n. Let F„(u) denote the normalized 
feedback rating (between 0 and 1) that a node n receives 
after performing an interaction u with another node. Let 
C Rn (u) denote the feedback credibility of the node u.x who 
submitted the feedback about node n after interaction u. 
The reputation-based trust of node n can be computed as 
Rn = Yiuer(ny Falu) * CRn(u). The information about 
the set of transactions performed (I(n)) and the feedbacks 
received (F(u) for u € I(n)) can be collected automati- 
cally [19]. Our goal is to design a credibility filter function 
that is most effective in ensuring that more credible feed- 
backs are weighted higher and vice-versa. 

A simple and intuitive solution is to measure feedback 
credibility of a node n using its trust value TV,,. We call it 
the Trust-Value based credibility Measure (TVM for short). 
Let TVa.x denote the trust value of node u.x who had in- 
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teraction u with node n. We can compute the trust value 
based credibility measure of node u.x in the interaction u, 
denoted by CRIV” (u), using Equation 7. 


Seite TVu. 


Several existing reputation-based trust systems use TVM 
or its variant to measure feedback credibility [19, 11]. The 
TVM solution is based on two fundamental assumptions. 
First, untrustworthy nodes are more likely to submit false 
or misleading feedbacks in order to hide their own malicious 
behavior. Second, trustworthy nodes are more likely to be 
honest on the feedback they provide. It is widely recognized 
that the first assumption is generally true but the second as- 
sumption may not be true. For example, it is possible that 
a node may maintain a good reputation by providing high 
quality services but send malicious feedbacks to its competi- 
tors. This motivates us to design a more effective credibility 
measure. 

We propose to use a personalized similarity measure (PSM 
for short) to rate the feedback credibility of another node 
x through node n’s personalized experience. Concretely, a 
node n will use a personalized similarity between itself and 
node x to weigh all the feedbacks filed by node x on any 
other node (say y) in the system. Let IJS(n, x) denote the 
set of common nodes with whom both node n and x have 
interacted, and I (n, r) denotes the collection of interactions 
between node n and node r. We compute similarity between 
node n and x based on the root mean square of the differ- 
ences in their feedback over the nodes in IJS(n, x). More 
specifically, given a node m and an interaction u € I(m) 
performed by node m with node u.x, node n computes a per- 
sonalized similarity-based credibility factor for u, denoted as 
CRẸ®™ (u), using Equation 8. 


CR,” (u) = (7) 


Sim(n, u.x) 


PSM l 
CR, (u) = LE Sia where (8) 
A(n,r) — A(x, r))? 
Sim(n,z) = 1 rersrs(n,a) ( (n,r) (x,r)) 
[17S(n,2)| 
Fy(v 
A(n,r) = X verm) Fn) 


|I(n,r)| 


This notion of personalized (local) credibility measure pro- 

vides a great deal of flexibility and stronger predictive value 
as the feedback from similar raters are given more weight. 
It also acts as an effective defense against potential mali- 
cious cliques of nodes that only give good ratings within the 
clique and give bad rating outside the clique. Using per- 
sonalized credibility to weight the feedbacks will result in a 
low credibility for dishonest feedbacks by malicious cliques. 
This is particularly true when measuring the feedback sim- 
ilarity between a node m in a clique and a node n outside 
the clique. Our experiments show that PSM outperforms 
TVM when the percentage of malicious nodes become large 
and when the malicious nodes collude with each other. 


6. EVALUATION 


In this section, we report results from our simulation based 
experiments to evaluate TrustGuard’s approach to build de- 
pendable reputation management. We implemented our 
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Figure 5: Model I 


simulator using a discrete event simulation [8] model. Our 
system comprises of about N = 1024 nodes; a random p% 
of them is chosen to behave maliciously. In the following 
portions of this section, we demonstrate the effectiveness of 
the three guards that we have proposed in this paper. 


6.1 Guarding from Strategic Node Behaviors 


In this section we evaluate the ability of our trust model to 
handle dynamic node behaviors. We first study the behavior 
of our guard against strategic oscillations by comparing the 
optimistic and pessimistic summarization techniques. We 
demonstrate the significance of various parameters in our 
dependable trust metrics by varying the weights assigned to 
reports received in the recent time window (a), the history 
(3), and the derivative component (y). Then, we show the 
impact of history size (maxH) on the effectiveness of our 
trust model and the advantages of storing past experiences 
using fading memories. 

For all experiments reported in this section, we studied 
four different models of strategic malicious behaviors (refer 
Section 3.1 for the definition of node behavior). In Model I 
shown in Figure 5, the malicious nodes oscillate from good to 
bad behavior at intervals of regular time periods. In model 
II, the malicious nodes oscillate between good and bad be- 
haviors at exponentially distributed intervals. In model III, 
the malicious nodes choose a random level of goodness and 
stay that level for an exponentially distributed duration of 
time. In model IV the malicious node shows a sinusoidal 
change in its behavior that is the node steadily and continu- 
ously changes its behavior unlike models I, II and III which 
show sudden fluctuations. 


6.1.1 Comparing Optimistic and Pessimistic Summa- 
rizations 


We first compare the two types of weighted summarization 
techniques discussed in Section 3.2. Figure 6 shows the 
values obtained on summarization given the node behavior 
model I shown in Figure 5 (using p = 0.7, maxH = 10 
and time period of malicious behavior oscillation = 10). 
The result shows that mean value (mean) and exponentially 
weighted sum (exp) have similar effect and they both are 
more optimistic than the inverse trust value weighted sum 
(invtv). Observe that the more pessimistic a summarization 
is, the harder it is for a node to attain a high trust value in a 
short span of time and the easier it is to drop its trust value 
very quickly. Also observe that the exponentially weighted 
sum in comparison to the mean rises quite steeply making 
it unsuitable for summarization. 


Figure 6: Optimistic versus Pes- 
simistic Summarization 


Figure 7: Effect of Varying Param- 
eters in the Trust Model 


6.1.2 Trust Model Parameters 


Figure 7 shows the results obtained from our trust model 
with various parameter settings under the malicious behav- 
ior shown in model I (m1). alpha shows the results obtained 
when a is the dominant parameter (a >> 6, y). With a dom- 
inant a the trust model almost follows the actual behavior of 
the node since it amounts to disregarding the history or the 
current fluctuations in the behavior of the node (see Equa- 
tion 2). beta-invtv shows the results obtained with @ as 
the dominant parameter using inverse trust value weighted 
sum. With more importance given to the behavior history 
of a node, the trust value of a node does not change very 
quickly. Instead it slowly and steadily adapts to its actual 
behavior. gamma shows the results obtained with y being 
the dominant factor. With a large y the trust value responds 
very swiftly to sudden changes in the behavior of the node. 
Observe the steep jumps in the trust value that correspond 
to the time instants when the node changes its behavior. 
These results match our intuition, namely, a, 8 and y are 
indeed the weights attached to the current behavior, his- 
torical behavior and the fluctuations in a node’s behavior. 
Finally, non-adaptive shows the trust value of a node in the 
absence of dependable schemes to handle dynamic node be- 
haviors. From Figure 7 it is evident that the cost paid by 
a malicious node in a non-adaptive model is almost zero, 
while that in a dependable model is quite significant. A 
more concrete evaluation that considers the combined effect 
of various trust model parameters is a part of our ongoing 
work. 


6.1.3 Varying History Size 

In this section we show the effect of history size maxH on 
the cost (see Equation 1) paid by malicious nodes. Figure 
8 shows a scenario wherein the malicious nodes oscillate in 
their behavior every 10 time units. Note that in this exper- 
iment we used a = 0.2, 6 = 0.8, yı = 0.05 and y2 = 0.2. 
Based on our experiences with the dependable trust model 
one needs to choose a and 8 such that £ is comparable to 
maxH (intuitively, this weights the history component in 
proportion to its size (maxH)). Note that this experiment 
uses maxH = 5 which is less than the time period of os- 
cillations by the malicious nodes. From Figure 8 it is clear 
that the dependable trust models (TrustGuard-adaptive in 
figure) performs better in terms of cost to be paid by the 
malicious nodes than the non-adaptive trust model (recall 
the cost model in Section 3.1). However, this does not en- 
tirely maximize the cost paid by malicious nodes. Figure 
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Figure 8: Trust Model with a Small 


History History 


9 shows the trust values obtained when a = 0.1, 6 = 0.9, 
yı = 0.05, y2 = 0.2 and maxH = 15 (larger than the time 
period of oscillation by the malicious node). Clearly, having 
a larger history ensures that one can maximize the cost paid 
by the malicious nodes. In fact, one observes that the cost 
paid by malicious nodes for maxH equal to 5, 10 and 15 
are in the ratio of 0.63 : 1 : 3.02 respectively. This obser- 
vation tells us that if a strategic malicious node knew that 
maxH = 5, then it would oscillate at a period equal to 5 
time intervals since anyway the system does not remember 
its past performance beyond 5 time intervals. In short, by 
knowing the exact value of maxH, a strategic malicious node 
would start to oscillate with time period equal to maxH so 
as to minimize its cost. It is interesting to note that, when 
the non-adaptive model is used, the cost paid by malicious 
nodes is close to zero for all values of time period of behavior 
oscillation and history size maxH. 


6.1.4 Fading Memories 


We now evaluate the effectiveness of the fading memories 
technique in efficiently storing the performance of a node 
over the last 2'"**” intervals using a logarithmically small 
number of values. Figure 10 shows the effect of using fad- 
ing memories when a malicious node oscillates with time 
period equal to 100 time units. It compares a dependable 
trust model ( TrustGuard-adaptive in figure) with maxH = 
10 and a dependable trust model using fading memories 
(TrustGuard-ftv in figure) based technique with m = 8. 
From Figure 10 it is apparent that using a simple adaptive 
technique with maxH = 10 enables a bad node to recover 
from its bad behavior that stretched over 100 time units in 
just 10 additional time units, since the past performance 
of the node is simply forgotten after 10 time units. As we 
discussed in Section 3, one of the design principles for de- 
pendable trust management is to prevent a bad node that 
has performed poorly over an extended period of time to at- 
tain a high trust value quickly. Clearly, the adaptive fading 
memories based technique can perform really well in this re- 
gard, since using just 8 values, it can record the performance 
of the node over its last 256 (2°) time intervals. It is impor- 
tant to note that the solution based on fading memories has 
bounded effectiveness in the sense that by setting m = 8, 
any node could erase its malicious past over 256 time inter- 
vals. However, the key benefit of our fading memories based 
approach is its ability to increase the cost paid by malicious 
nodes, with minimal overhead on the system performance. 


Time 


Figure 9: Trust Model with a Large 
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Figure 10: Trust Model with Fad- 
ing Memories 


6.1.5 Other Strategic Oscillation Models 


We also studied the cost of building reputation under dif- 
ferent bad node behavior models discussed in the beginning 
of Section 6.1. From our experiments, we observed that 
the response of our trust model towards models II, III and 
IV are functionally identical to that obtained from model 
I (Figure 5). However, from an adversarial point of view, 
we observed that these strategies do not aid in minimizing 
the cost to be paid by malicious nodes to gain a good rep- 
utation when compared to model I. In fact, the cost paid 
by malicious nodes using models I, II, III and IV are in the 
ratio of 1 : 2.28 : 2.08 : 1.36. In models II and III, the mali- 
cious nodes do not pursue their malicious activities the very 
moment they attain a high reputation. In model IV, the 
malicious nodes slowly degrade their behavior, which does 
not given them good benefits (see the extent of misuse Xn (t) 
in Figure 2) when compared to a steep/sudden fall. Hence, 
a strategic malicious node that is aware of maxH would 
oscillate with time period maxH in order to minimize its 
cost (refer Equation 1). Nonetheless this emphasizes the 
goodness of our dependable trust model since it is capable 
of effectively handling even its worst vulnerability (model I 
with oscillation time period maxH). 


6.2 Guarding from Fake Transactions 


In this section we study the feasibility of using optimistic 
fair-exchange protocol for exchanging transaction proofs. 


6.2.1 Trust Value Based Protocol Vs Optimistic Pro- 
tocol 


Figure 11 shows the percentage of fair exchange of transac- 
tion proofs with progress in time for the two exchange proto- 
cols discussed in Section 4, namely the trust value based fair 
exchange protocol and the optimistic fair exchange protocol. 
The experiment measures the percentage of fair transactions 
when 20% of the nodes are malicious. The trust value based 
exchange scheme suffers because a strategic malicious node 
may gain high trust value initially and then fake arbitrarily 
large number of transactions by unfairly exchanging trans- 
action proofs without being detected by the system. 


6.2.2 Trusted Server Offline Duration in Optimistic 
Protocol 


As we have discussed in Section 4, it is important to decrease 
the amount of time the trusted third party server is online so 
as to make it less susceptible to attackers. However, doing 
so increases the amount of time it takes to resolve a conflict. 
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Transaction Proofs: Optimistic Vs 
Trust-Value Based Exchange Pro- 
tocol 
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Table 1: Relative Cost paid by Malicious Nodes Vs 
Tors (normalized by mazH) 


We have shown in Section 4.2 that a malicious node can ex- 
ploit the delay in conflict resolution to may ensure that none 
of its malicious activities be made visible to the trust man- 
agement system for Toss units of time. In this experiment, 
we show how the transaction success rate varies with Toff, 
the time period for which the trusted third party server is 
offline. 

Table 1 shows the normalized cost (see Equation 1) paid 
by malicious nodes when we introduce a delay in conflict 
resolution. We have normalized Tos with the history size 
(mazH) maintained by TrustGuard’s adaptive trust model 
(see Section 3). Figure 1 shows that in order to keep the 
cost from dropping more that 10%, Toff should be no more 
than 5% of maxH. Note that this is another scenario where 
fading memories (see Section 3) helps the system. Fading 
memories essentially allow the history size (maxH) to be 
very large and hence the duration of the time for which a 
trusted third party server is offline could be sufficiently large 
without significantly decreasing the cost paid by malicious 
nodes. 


6.3 Guarding from Dishonest Feedbacks 


In this section we present an evaluation of our algorithm 
to filter dishonest feedbacks (Section 5). Recall that the 
fake transaction guard does not prevent fake transactions 
between two malicious nodes. So, we simulated two settings, 
namely, non-collusive and collusive setting. In the collusive 
setting, a group of collusive malicious nodes may attempt 
to deterministically boost their ratings by providing highly 
positive feedbacks on each other through innumerable fake 
transactions. 

Figures 12 and 13 show the error in trust computation as 
a function of the fraction of malicious nodes in the system in 
a non-collusive and a collusive setting respectively. Observe 
that the naive technique (an average of the feedback without 
credibility factor) for computing trust drops almost linearly 
with fraction of malicious nodes. Also, the naive technique 
and the TVM approach are extremely sensitive to collusive 
attempts even when the number of malicious nodes is very 
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small. On the other hand, the PSM approach remains ef- 
fective even with both large fraction of malicious nodes and 
collusion. Recall that PSM computes a personalized trust 
value and hence, the trust value of a node may be different 
from the perspective of various other nodes in the system. 
For example, the trust value of a node m from the perspec- 
tive of other nodes within its clique may be very high, and 
yet, the trust value of node m as seen by other nodes in the 
system might be very low. Therefore, the similarity met- 
ric used by PSM is very effective even in an overwhelming 
presence of collusive malicious nodes. 


7. RELATED WORK 


Dellarocas [5] provides a working survey for research in game 
theory and economics on reputation. The game theory based 
research lays the foundation for online reputation systems 
research and provides interesting insights into the complex 
behavioral dynamics. 

Related to reputation systems that help establishing trust 
among entities based on their past behaviors and feedbacks, 
there is research on propagating trust among entities based 
on their trust relationship. E.g. Yu and Singh [20] proposed 
a framework based on a gossip protocol. Richardson et al. 
[17] developed a path-algebra model for trust propagation. 
Very recently, Guha et al. [9] developed a formal framework 
for propagating both trust and distrust. The TrustGuard 
framework is capable of accomodating these algorithms by 
replacing its dishonest feedback guard. 

In the P2P domain reputation management systems like 
P2Prep [3], Xrep [4] and EigenTrust [11] have emerged. 
P2PRep provides a protocol on top of Gnutella to estimate 
trustworthiness of a node. It does not discuss trust met- 
rics in detail and does not have evaluations. XRep extends 
P2PRep by assigning a reputation value for both peers and 
resources. EigenTrust assumes that trust is transitive and 
addresses the weakness of the assumption and the collusion 
problem by assuming there are pre-trusted nodes in the sys- 
tem. We argue that pre-trusted nodes may not be available 
in all cases. More importantly, neither of these reputation 
management systems addresses the temporal dimension of 
this problem (strategic behavior by malicious nodes) and 
the problem of fake transactions. 

Dellarocas [6] has shown that storing feedback informa- 
tion on the most recent time interval is enough; and that 
summarizing feedback information for more than one win- 


dow of time interval does not improve the reputation system. 
However, this result subsumes that there are no errors in the 
feedbacks and that all nodes behave rationally. In the pres- 
ence of dishonest feedbacks there are bound to be errors in 
identifying a honest feedback from a dishonest one. Further, 
our experiments show that the history component helps in 
stabilizing the system by avoiding transient fluctuations due 
to transient errors or dishonest feedbacks. 

B. Yu and M. P. Singh [20] suggest refining personal opin- 
ions differently for cooperation and defection and achieves 
a certain level of adaptivity. Our dependable trust model 
is based upon the PID controller popularly used in control 
theory [14], as against ad hoc techniques suggested in their 
paper. 

S. K. Lam and J. Riedl [12] experimentally studied sev- 
eral types of shilling attacks on recommender systems. Our 
experiments show that TrustGuard is resistant to random 
shilling attacks. As a part of our future work, we hope 
to model and analyze different types of shilling attacks on 
reputation systems and enhance our algorithms to further 
counter them. 

Fair exchange protocols [16, 13, 10] have been the prime 
focus of researchers working in the field of electronic com- 
merce. Ray and Ray [16] provides a survey on fair exchange 
of digital products between transacting parties. They com- 
pare various algorithms including trusted third parties, true 
& weak fair exchanges, gradual exchanges and optimistic ex- 
changes. In this paper, we used an optimistic fair-exchange 
protocol proposed by Micali [13] for fair-contract signing. 


8. CONCLUSION 


We have presented TrustGuard — a framework for build- 
ing distributed dependable reputation management systems 
with the countermeasures against three detrimental vulner- 
abilities, namely, (i) strategic oscillation guard, (ii) fake 
transaction guard, and (iii) dishonest feedback guard. In 
TrustGuard we promote a modular design such that one 
could add more safeguard components, or replace the tech- 
niques for one module without having to worry about the 
rest of the system. The main contribution of this paper 
is threefold. First, we proposed to measure the trustworthi- 
ness of peers based on current reputation, reputation history 
and reputation fluctuation and develop formal techniques to 
counter strategic oscillation of malicious nodes. Second, we 
presented electronic fair-exchange protocol based techniques 
to rule out the possibility of faking transactions in the sys- 
tem. Third, we developed algorithms to filter out dishon- 
est feedbacks in the presence of collusive malicious nodes. 
We have demonstrated the effectiveness of these techniques 
through an extensive set of simulation based experiments. 
We believe that the TrustGuard approach can efficiently and 
effectively guard a large-scale distributed reputation system, 
making it more dependable than other existing reputation- 
based trust systems. 
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